[Freeipa-devel] [freeipa PR#471][opened] Fix some privilege separation regressions

HonzaCholasta freeipa-github-notification at redhat.com
Thu Feb 16 10:20:54 UTC 2017


   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: opened

PR body:
"""
**client install: create /etc/ipa/nssdb with correct mode**

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

**server upgrade: fix upgrade in CA-less**

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

**server upgrade: fix upgrade from pre-4.0**

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

**server upgrade: always upgrade KRA agent PEM file**

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/5959
https://fedorahosted.org/freeipa/ticket/6675
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
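The first commit in this PR is about plain POSIX permission bits: a privilege-separated service running as an unprivileged user can only open cert9.db under /etc/ipa/nssdb if every directory on the path grants it search (x) permission and the file grants it read (r). The following is an added example, not FreeIPA code and not part of the PR, that emulates the kernel's discretionary access check for a constructed model of that path so the outcome can be computed for any uid/gid without os.access() (which reports the caller's own privileges and is useless when run as root). The uid/gid 48 for the httpd user and the ownership/modes of /etc and /etc/ipa are assumptions chosen for the illustration.

```python
"""Emulate POSIX DAC to decide whether an unprivileged service can read
the IPA client NSS database.  Added example, not FreeIPA code; the
uid/gid values and the directory layout below are constructed."""
import os
import stat
from collections import namedtuple

Inode = namedtuple("Inode", "mode uid gid")   # st_mode, st_uid, st_gid

R, W, X = 4, 2, 1   # permission bits of one owner/group/other triplet


def dac_allows(inode, req_uid, req_gids, want):
    """Return True if a process (req_uid, req_gids) gets all bits in `want`.

    Mirrors classic discretionary access control: only the first matching
    class (owner, then group, then other) is consulted, so a 0640 directory
    grants nothing at all to 'other' although its owner can read it.  root
    skips read/write checks but still needs some x bit to execute a regular
    file; directory search is always granted to root.
    """
    perm = stat.S_IMODE(inode.mode)
    if req_uid == 0:
        if want & X and not stat.S_ISDIR(inode.mode) and not perm & 0o111:
            return False
        return True
    if req_uid == inode.uid:
        bits = (perm >> 6) & 7
    elif inode.gid in req_gids:
        bits = (perm >> 3) & 7
    else:
        bits = perm & 7
    return (bits & want) == want


def can_open_for_read(entries, req_uid, req_gids):
    """`entries` lists the inodes from the top-level directory down to the
    file itself.  Every directory on the way needs search (x); only the
    final entry needs read (r).  Returns the index of the first component
    that denies access, or None if the file can be opened for reading."""
    for i, inode in enumerate(entries):
        last = i == len(entries) - 1
        if not dac_allows(inode, req_uid, req_gids, R if last else X):
            return i
    return None


def nssdb_readable_by(dir_perm, req_uid, req_gids, file_perm=0o644):
    """Constructed model of /etc/ipa/nssdb: /etc and /etc/ipa are assumed
    root:root 0755, the nssdb directory gets `dir_perm`, cert9.db gets
    `file_perm`.  True if the requesting process can read cert9.db."""
    path = [
        Inode(stat.S_IFDIR | 0o755, 0, 0),       # /etc
        Inode(stat.S_IFDIR | 0o755, 0, 0),       # /etc/ipa
        Inode(stat.S_IFDIR | dir_perm, 0, 0),    # /etc/ipa/nssdb
        Inode(stat.S_IFREG | file_perm, 0, 0),   # /etc/ipa/nssdb/cert9.db
    ]
    return can_open_for_read(path, req_uid, req_gids) is None


def path_inodes(path):
    """Stat a real path and every ancestor, top down, for use with
    can_open_for_read().  Unlike os.access() the result does not depend on
    who runs the check, so root can ask 'could uid 48 read this file?'."""
    path = os.path.abspath(path)
    out, cur = [], os.sep
    for part in path.split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        out.append(Inode(st.st_mode, st.st_uid, st.st_gid))
    return out


if __name__ == "__main__":
    APACHE_UID, APACHE_GID = 48, 48   # assumed uid/gid of the httpd user
    for perm in (0o640, 0o644, 0o750, 0o755):
        ok = nssdb_readable_by(perm, APACHE_UID, {APACHE_GID})
        print("nssdb dir mode %o: cert9.db %s" % (perm, "readable" if ok else "DENIED"))
    # On a real IPA client the same question can be asked of the live path:
    #   inodes = path_inodes("/etc/ipa/nssdb/cert9.db")
    #   print(can_open_for_read(inodes, APACHE_UID, {APACHE_GID}))
```

Running the block shows that a directory mode with no bits for 'other' (0640) denies the httpd user at the nssdb directory before the file is ever consulted, and that the directory's search bit, not its read bit, is what matters for opening cert9.db; a world-readable file behind a non-searchable directory is still unreadable. For a server-side audit the same check can be pointed at the new RA database location the PR mentions, /var/lib/ipa/radb, with the uid of whatever account is expected to read it.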
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-471.patch
Type: text/x-diff
Size: 8748 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20170216/f207e679/attachment.bin>
